FOREWORD


The EU data economy is expected to amount to €827 billion by 2025,¹ and the ability to transfer data across borders will be crucial for the recovery of the European economy after the COVID crisis.


There is no doubt that the decision of the Court of Justice of the EU (CJEU) taken in Schrems II has dramatically altered the state of international data flows.²


Our respective memberships, hailing from many different sectors, crucially rely on international data flows to carry out their business operations. Manufacturers supporting their customers overseas, health companies developing vaccines to end the global pandemic, any company incorporating advanced data analytics and machine learning methods into its services or simply having employees in multiple countries - all these data transfers predominantly rely on standard contractual clauses (SCCs) to legally carry out these day-to-day activities.


While Schrems II confirmed that SCCs remain a valid data transfer tool, it placed greater responsibilities on businesses to assess whether a third country’s domestic laws and practices afford equivalent protection before each individual data transfer is made. If a risk of non-equivalence exists, the business exporting the data would have to put ‘supplementary measures’ in place.


Not only does this represent a large burden 
increase in demonstrating compliance, but 
also legal uncertainty. 


How are European SMEs expected to determine the legal frameworks of a multitude of foreign states? Will their assessments of risk and the related supplementary measures be accepted by regulators?
The European Data Protection Board (EDPB) has begun to interpret the ruling and offered draft guidance to organisations on these issues.³ It seems to us that in its current form such guidance would make it very difficult for businesses to rely on SCCs. This is not only in conflict with the European Commission’s new draft set of SCCs,⁴ but even with the Schrems II decision itself.


In order to ensure a pragmatic and legally certain situation for international data flows, we need a deep understanding of how SCCs work in real life: who are they used by, for what purposes, and what actual risks do these transfers entail? To this end, we want to contribute the best data we have to date. We believe this is crucial insight to guide decision-makers. Not least because 75 per cent of those using SCCs are European, and Europe’s prosperity and global influence rely upon their use.


75% of our respondents using SCCs are European


With this survey we not only try to provide a snapshot of how personal data is transferred from Europe to the rest of the world, we also would like to contribute to a fact-based pragmatic solution going forward. Let’s make sure that Europe’s interpretation of the Schrems II ruling enables a practical and safe path for businesses to continue transferring data across borders in a globalised economy.


Markus J. Beyrer 
Director General 
BusinessEurope 


Eric-Mark Huitema 
Director General 
ACEA 


1 European Commission, The European data market study update, 2020 


2 Case C-311/18 


3 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 2020


4 European Commission, Data protection - standard contractual clauses for transferring personal data to non-EU countries (implementing act), 2020
This survey provides a snapshot of how personal data is transferred from Europe to the rest of the world. In particular, our goal has been to provide estimates about the use of SCCs - one of the legal mechanisms for transfers envisaged under the General Data Protection Regulation (GDPR) - in order to understand the economic impact of the recent Schrems II ruling.


While famous for annulling the EU-US Privacy Shield, the ruling requires all organisations transferring personal data outside the European Economic Area (EEA) to assess or reassess their use of SCCs in order to verify that it complies with the conditions set out in the ruling, notably in terms of preventing access by third-country governments.


The impact of these obligations can be 
significant, considering that potentially 
they apply to all data controllers and 
processors in the EEA, which for the most 
part are SMEs. However, real-world data 
about the use of SCCs has so far been 
lacking, and the economic impact of 
complying with the ruling remains largely 
unknown. 


Our data shows that: 


> SCCs are by far the most widely used mechanism for data transfers. Of all companies surveyed, 85 per cent are estimated to use SCCs, while other transfer mechanisms such as adequacy decisions, binding corporate rules (BCRs) or derogations (e.g. consent) account for a little more than 5 per cent of transfers. Only 9 per cent of companies surveyed do not appear to be transferring any data outside the EU.

> The vast majority of companies using SCCs (75 per cent) have their headquarters in Europe, with US-headquartered companies coming in a distant second (13 per cent).

> The information and communications technology (ICT) sector is the single largest user (37 per cent), but just about all industry sectors rely on SCCs for their transfers, with manufacturing coming in second (22 per cent).

> Most companies using SCCs are business-to-business (B2B) entities (90 per cent) relying on data transfers to enable service offerings to other companies. Only 10 per cent of respondents are pure business-to-consumer (B2C) companies.

> Over half of SCC users transfer data to close business partners or non-EU subsidiaries (57 per cent use controller-to-controller SCCs), while almost all transfer data in order to outsource processes or services (92 per cent use controller-to-processor SCCs).⁵

> Three-quarters of companies aware that they are using SCCs transfer data to more than one non-EU country. Almost everybody transfers to the US, but six out of ten transfer data to Asia or the UK. South America, the Middle East and Africa account for a smaller but not insignificant portion of transfers.

> Nine in ten companies that have reassessed their use of SCCs to comply with the ruling consider that the cost of doing so is moderate or high. Only half of estimated SCC users have reassessed their use of SCCs.

> 25 per cent of respondents appear not to be aware that they transfer data outside of the EU, most likely through SCCs. This is despite the fact that most contributions to the survey have come from data protection or compliance professionals. SMEs are more likely to be in this group but almost a quarter of bigger companies are also affected. This proves a fairly widespread lack of understanding about personal data transfers and the ensuing obligations, which may expose companies to sanctions for GDPR infringement.


5 Base = 166
85% of companies surveyed are estimated to use SCCs


92% of companies that have reassessed their use of SCCs consider that the cost of doing so is moderate or high
Survey methodology


The data in this report is derived from a survey conducted between 26 October and 18 November 2020 by DIGITALEUROPE, BusinessEurope, the European Round Table for Industry (ERT) and ACEA. For a list of National Trade Associations that may have shared the survey with their members, please consult the DIGITALEUROPE and the BusinessEurope websites. In total, 292 responses were collected from companies headquartered in 25 different countries. Survey respondents are from all major industries, with the exception of transport and postal services, and a mix of company sizes. More than 75 per cent of responses came from privacy or compliance professionals; another 20 per cent came from business line managers.


Companies of all sizes and sectors use SCCs


A striking majority of companies transfer data outside Europe and do so by incorporating SCCs into their contracts. This includes virtually all larger companies above 250 employees, but also more than two-thirds of all SME respondents.

Only 9 per cent of respondents keep their data purely within the EU, and only 5 per cent transfer data using other legal transfer mechanisms such as BCRs or adequacy decisions adopted by the European Commission.


COMPANIES OF ALL SIZES, INCLUDING TWO-THIRDS OF SMEs, 
RELY ON SCCs 


Figure 1: % of respondents by company size estimated to use SCCs 


SMEs (1 to 249 employees): 70%
250 to 1,999 employees: 90%
2,000+ employees: 95%


Source: DIGITALEUROPE | Base: estimated SCC users (n = 249) 
ONLY 9% OF RESPONDENTS DO NOT TRANSFER DATA OUTSIDE OF
THE EU, AND ANOTHER 5% USE OTHER TRANSFER MECHANISMS 


Figure 2: % of respondents by the way they transfer personal data 


Using other transfer mechanisms: 5%
Not transferring personal data outside of the EU: 9%
Known SCC users: 60%
Unaware SCC users: 25%


Source: DIGITALEUROPE | Base: All respondents (n = 292)⁶


While the different branches of ICT are the single largest user, SCCs are used for data 
transfers by a variety of industry sectors, with manufacturing in second place. 


JUST ABOUT ALL INDUSTRY SECTORS RELY ON SCCs FOR THEIR 
TRANSFERS OF PERSONAL DATA 


Figure 3: % of respondents by sector, amongst SCC users 


Information, media & telecommunications: 37%
Manufacturing: 22%
Professional, scientific & technical services: 15%
Financial & insurance: 10%
Retail: 5%
Agriculture, forestry & fishing: 3%
Health & social care: 3%
Electricity, gas & water services: 2%
Construction: 1%
Hospitality: 1%


Source: DIGITALEUROPE | Base: estimated SCC users (n = 249)


6 Known SCC users consist of respondents that answered ‘Yes’ to the question as to whether their organisation uses SCCs. Unaware SCC users consist of respondents that answered ‘No’ to the question as to whether their organisation uses SCCs, or do not know whether it does, but whose organisation has an establishment outside of the EEA or utilises non-EU service providers.

7 We note that almost half of responses come from digital trade associations’ members. As a result, the answer to this question may be skewed towards the ICT sector.


European companies are heavy users of SCCs


EU-headquartered companies account for nearly eight out of 10 users of SCCs. Only 13 
per cent of respondents transfer data to a US-headquartered parent, while 8 per cent 
transfer to a UK headquarters. 


EUROPEAN COMPANIES ARE HEAVY USERS OF SCCs 


Figure 4: % of respondents using SCCs by HQ location 


United States: 13%
United Kingdom: 8%
Other (includes Japan, Canada and Switzerland): 3%


Source: DIGITALEUROPE | Base: estimated SCC users (n = 249) 
SCCs are critical for business operations


SCCs highlight the complex nature of modern economies, where business relationships involve multiple entities performing different functions, including within the same group of companies operating internationally.

Data flows and SCCs are part and parcel of long business value chains. Most companies using SCCs do so to provide services and products exclusively to other businesses, followed by companies that also provide direct services to consumers. Only a minority of respondents are pure consumer-facing companies.


MOST USERS OF SCCs ARE USING THEM TO PROVIDE SERVICES 
AND PRODUCTS TO OTHER BUSINESSES 


Figure 5: % of SCC users by segment 


B2B only: value not shown
B2B & B2C: 36%
B2C only: 10%


Source: DIGITALEUROPE | Base: estimated SCC users (n = 249) 


While most companies using SCCs transfer data to ‘processors’ (other entities that process data based strictly on the transferring company’s instructions, for example for payroll management), more than half among them also transfer data to one or multiple other ‘controllers’ (entities that will use the data independently, for example for their own manufacturing or sales operations). These can be non-EU subsidiaries or close business partners.


OVER HALF OF SCC USERS TRANSFER DATA TO CLOSE BUSINESS 
PARTNERS OR NON-EU SUBSIDIARIES THAT NEED IT FOR THEIR 
OWN OPERATIONS 


Figure 6: % of respondents by type of SCCs used 


Controller-to-processor SCCs: 92%
Controller-to-controller SCCs: 57%


Source: DIGITALEUROPE | Base: SCC users that are aware of the type of SCCs they use (n = 166) 
SCCs are used to transfer data across the world


SCCs underpin trade relations, very rarely with just one country. Three-quarters of companies who are aware that they use SCCs transfer data to more than one non-EU country simultaneously.


While almost everybody transfers to the US, SCCs are used by six out of ten respondents to transfer data to Asia or the UK. South American and African countries are also relevant destinations for European companies using SCCs.


SCCs ARE USED TO TRANSFER DATA GLOBALLY, WITH 3/4 OF 
RESPONDENTS TRANSFERRING DATA TO MORE THAN ONE GEOGRAPHY 


Figure 7: % of respondents that use SCCs to transfer data from Europe (EEA) to: 


EU - UK
EU - USA
EU - SOUTH AMERICA
EU - ASIA
EU - MIDDLE EAST & AFRICA


Source: DIGITALEUROPE | Base: SCC users that are aware of which geography they transfer data to (n = 172)⁸


8 Many of our respondents selected ‘other,’ mentioning countries such as Australia, Russia and others. Switzerland, Canada and Japan are among the third countries recognised by the European Commission as providing adequate protection; they therefore do not appear on this list as transfers to those countries do not require SCCs.
The ruling’s impact is substantial, and many companies are unprepared


Just over half of companies estimated to use SCCs have 
reassessed their use as required by the Schrems II 
ruling in order to be able to rely on SCCs. Among 
these, 92 per cent of respondents find that the cost of 
such assessment has been moderate or high for them. 


Only half of estimated SCC users have reassessed their use, as required by the Schrems II ruling.


92% OF COMPANIES FIND THE COST OF REASSESSING THEIR USE 
OF SCCs TO BE MODERATE OR HIGH 


Figure 8: % of respondents that estimate that the cost of reassessing SCCs has been: 


Moderate: 46%
Negligible: 8%


Source: DIGITALEUROPE | Base: respondents that reassessed their use of SCCs (n = 129) 


Particularly given the overall high 
proportion of privacy/compliance 
professionals who contributed to the 
survey, we were surprised to find that 
25 per cent of companies surveyed 
are almost certainly transferring data 
- and are therefore most likely using 
SCCs, or should be putting them in 
place - yet are not aware of it. 


For example, 68 per cent of those 
who do not know whether their 
company is transferring data, or 
believe it is not transferring data, 
either have an establishment outside 
the European Economic Area (EEA) or 
are outsourcing services to non-EU 
companies, or both. In the former 
case, they simply do not have a legal 
mechanism in place for the transfer;
in the latter case, they are using SCCs 
and should be reassessing them in 
light of the ruling. Either way, they are 
unprepared to comply with the ruling 
and are exposed to sanctions for 
GDPR infringement. 


Among the SMEs surveyed, 39 per cent are unaware that they are likely transferring personal data using SCCs - more than those who are aware (30 per cent). Three out of ten other companies under 2,000 employees, where resources might be scarce, are also concerned. Larger companies are less affected, yet 12 per cent of those surveyed appear unaware that they are likely users of SCCs.


SMEs ARE LARGELY UNAWARE OF HOW THEY DEAL WITH PERSONAL 
DATA, AND ARE THEREFORE UNPREPARED TO COMPLY WITH THE 
SCHREMS II RULING 


Figure 9: % of total respondents by the way they transfer personal data and company size 


Company sizes: 2,000+ employees; 250 - 1,999 employees; SMEs (1-249 employees)
Legend: Aware SCC users; Unaware SCC users; Not transferring personal data outside of the EU; Use other transfer mechanisms


Source: DIGITALEUROPE | Base: All respondents (n = 292)⁹


9 Respondents in the category of ‘unaware SCC users’ do not substantially deviate from other categories. Data protection or compliance professionals represent 59% of those answers, while business line managers represent 37%.